EMET mitigations guidelines


Summary


The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this goal by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform. For more information about EMET, see the following article in the Microsoft Knowledge Base:

2458544 The Enhanced Mitigation Experience Toolkit

When EMET mitigations are applied to certain software or certain kinds of software, compatibility issues may occur because the protected software behaves similarly to how an exploit would behave. This article describes the kinds of software that usually present compatibility issues with EMET’s mitigations and lists products that exhibited compatibility issues with one or more of the mitigations that are offered by EMET.

More Information


Generic guidelines

EMET mitigations work at a very low level in the operating system, and some kinds of software that perform similar low-level operations might have compatibility issues when they are configured to be protected by using EMET. The following is a list of the kinds of software that should not be protected by using EMET:

 
  • Anti-malware and intrusion prevention or detection software
  • Debuggers
  • Software that handles digital rights management (DRM) technologies (that is, video games)
  • Software that uses anti-debugging, obfuscation, or hooking technologies

Certain host-based intrusion prevention system (HIPS) applications may provide protections that resemble those of EMET. When these applications are installed on a system together with EMET, additional configuration may be required to enable the two products to coexist.

Additionally, EMET is intended to work together with desktop applications, and you should protect only those applications that receive or handle untrusted data. System and network services are also out-of-scope for EMET. Although it is technically possible to protect these services by using EMET, we do not advise you to do this.
 

Application compatibility list

The following is a list of specific products that have compatibility issues with regard to the mitigations that are offered by EMET. You must disable specific incompatible mitigations if you want to protect the product by using EMET. Be aware that this list takes into consideration the default settings for the latest version of the product. Compatibility issues may be introduced when you apply certain add-ins or additional components to the standard software.
 

Incompatible mitigations

Product | EMET 4.1 Update 1 | EMET 5.2 | EMET 5.5 and newer
Microsoft Teams | SEHOP* | SEHOP* | SEHOP*, EAF+
7-Zip Console/GUI/File Manager | EAF | EAF | EAF
AMD 62xx processors | EAF | EAF | EAF
Beyond Trust Power Broker | Not applicable | EAF, EAF+, Stack Pivot | EAF, EAF+, Stack Pivot
Certain AMD/ATI video drivers | System ASLR=AlwaysOn | System ASLR=AlwaysOn | System ASLR=AlwaysOn
DropBox | EAF | EAF | EAF
Excel Power Query, Power View, Power Map and PowerPivot | EAF | EAF | EAF
Google Chrome | SEHOP* | SEHOP* | SEHOP*, EAF+
Google Talk | DEP, SEHOP* | DEP, SEHOP* | DEP, SEHOP*
Immidio Flex+ | Not applicable | EAF | EAF
McAfee HDLP | EAF | EAF | EAF
Microsoft Office Web Components (OWC) | System DEP=AlwaysOn | System DEP=AlwaysOn | System DEP=AlwaysOn
Microsoft Word | Heapspray | Not applicable | Not applicable
Oracle Javaǂ | Heapspray | Heapspray | Heapspray
Pitney Bowes Print Audit 6 | SimExecFlow | SimExecFlow | SimExecFlow
Siebel CRM version is 8.1.1.9 | SEHOP | SEHOP | SEHOP
Skype | EAF | EAF | EAF
SolarWinds Syslogd Manager | EAF | EAF | EAF
VLC Player 2.1.3+ | SimExecFlow | Not applicable | Not applicable
Windows Media Player | MandatoryASLR, EAF, SEHOP* | MandatoryASLR, EAF, SEHOP* | MandatoryASLR, EAF, SEHOP*
Windows Photo Gallery | Caller | Not applicable | Not applicable


* Only in Windows Vista and earlier versions

ǂ EMET mitigations might be incompatible with Oracle Java when they are run by using settings that reserve a large chunk of memory for the virtual machine (that is, by using the -Xms option).
 

Frequently asked questions

Q: What are the exploits for which CVEs have been blocked by EMET?

A: The following is a partial list of the CVEs for which the known exploits are successfully blocked by EMET at the time of discovery:
 
CVE number | Product family
CVE-2004-0210 | Windows
CVE-2006-2492 | Office
CVE-2006-3590 | Office
CVE-2007-5659 | Adobe Reader, Adobe Acrobat
CVE-2008-4841 | Office
CVE-2009-0927 | Adobe Reader, Adobe Acrobat
CVE-2009-4324 | Adobe Reader, Adobe Acrobat
CVE-2010-0188 | Adobe Reader, Adobe Acrobat
CVE-2010-0806 | Internet Explorer
CVE-2010-1297 | Adobe Flash Player, Adobe AIR, Adobe Reader, Adobe Acrobat
CVE-2010-2572 | Office
CVE-2010-2883 | Adobe Reader, Adobe Acrobat
CVE-2010-3333 | Office
CVE-2010-3654 | Adobe Flash Player
CVE-2011-0097 | Office
CVE-2011-0101 | Office
CVE-2011-0611 | Adobe Flash Player, Adobe AIR, Adobe Reader, Adobe Acrobat
CVE-2011-1269 | Office
CVE-2012-0158 | Office, SQL Server, Commerce Server, Visual FoxPro, Visual Basic
CVE-2012-0779 | Adobe Flash Player
CVE-2013-0640 | Adobe Reader, Adobe Acrobat
CVE-2013-1331 | Office
CVE-2013-1347 | Internet Explorer
CVE-2013-3893 | Internet Explorer
CVE-2013-3897 | Internet Explorer
CVE-2013-3906 | Windows, Office
CVE-2013-3918 | Windows
CVE-2013-5065 | Windows
CVE-2013-5330 | Adobe Flash Player, Adobe AIR
CVE-2014-0322 | Internet Explorer
CVE-2014-0497 | Adobe Flash Player
CVE-2014-1761 | Office, SharePoint
CVE-2014-1776 | Internet Explorer
CVE-2015-0313 | Adobe Flash Player
CVE-2015-1815 | Internet Explorer


Q: How do I uninstall Microsoft EMET 5.1 by using an MSIEXEC command or a registry command?

A: See the references in the following TechNet topic:

Q: How do I disable Watson Error Reporting (WER)?

A: See the references in the following Windows and Windows Server articles:
 